Re: [TLS] DH group validation
At Wed, 17 Oct 2007 09:35:49 +0200,
Bodo Moeller wrote:
> I am hoping that we can agree to (optionally?) include "q" into DH
> parameters for the next version of the standard, allowing for more
> meaningful quick "validation" on the one hand, and for efficiency
> improvements on the other hand. (Efficiency improvements since if you
> have a 2048-bit p with a 224-bit q, the client has much less work to
> do if it knows it only has to choose an exponent in the range (2, q-1)
> and not a 2048-bit exponent.) In this case, the client would look
> at the size of q to see if it looks reasonably large, and presumably
> also would check that q is at least one bit longer than q.

Bodo:

I want to make sure I understand this:

1. Is knowing the factorization important in this case? I'm not
   really a DH expert, but this paper http://eprint.iacr.org/2004/099
   seems to argue that if you're digesting ZZ, you don't need to
   know the factorization of p-1. It looks like this may only be
   true if the generator is random? Maybe Hugo can weigh in
   here...

2. This is an optimization only for the client, right? The server at
   least potentially knows the factorization of p-1, so sending
   this information doesn't make the server any faster.

-Ekr
_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
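
The client-side check discussed in this thread, as an added example that is not part of the original messages or of any TLS specification: given (p, q, g), it checks the sizes of p and q, and goes beyond the size check by also testing primality, that q divides p-1, and that g generates the order-q subgroup, then picks a private exponent below q. The function names, the default thresholds (taken from the 2048-bit/224-bit figures in the quoted text) and the toy group in the demo are assumptions made for illustration.

```python
import secrets

def is_probable_prime(n, rounds=40):
    """Miller-Rabin with random bases (a prime is never rejected)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a is a witness: n is composite
    return True

def check_dh_group(p, q, g, min_p_bits=2048, min_q_bits=224):
    """Return the names of the failed checks; an empty list means accept."""
    if p < 3 or q < 2:
        return ["range"]
    failed = []
    if p.bit_length() < min_p_bits or q.bit_length() < min_q_bits:
        failed.append("size")                     # p or q too small
    if q.bit_length() >= p.bit_length():
        failed.append("q not shorter than p")
    if not (is_probable_prime(p) and is_probable_prime(q)):
        failed.append("primality")
    if (p - 1) % q != 0:
        failed.append("q does not divide p-1")
    if not 1 < g < p - 1 or pow(g, q, p) != 1:
        failed.append("g not of order q")         # g must lie in the order-q subgroup
    return failed

def client_keypair(p, q, g):
    """Pick a private exponent below q instead of a full-size one."""
    x = secrets.randbelow(q - 3) + 2              # x in [2, q-2]
    return x, pow(g, x, p)

if __name__ == "__main__":
    # Constructed toy group (p=23, q=11, g=2), far too small for real use.
    print(check_dh_group(23, 11, 2, min_p_bits=5, min_q_bits=4))
```

Without q the client cannot run the pow(g, q, p) test at all, which is what makes the extra parameter useful for validation and not only for the shorter exponent.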